What action we've taken in Q4, what you've reported to us and what 
you can do to stay secure 


Data security incidents, which are breaches of the seventh data protection principle or personal data breaches reported 
under the Privacy and Electronic Communications Regulations, are a major concern for those affected and a key area 
of action for the ICO. We have published this information to help organisations understand what we're seeing and help 
them to take appropriate action. 


What action we've taken in Q4 


One fine 


We fined The Carphone Warehouse Ltd £400,000 after serious failures put customer and employee data at 
risk. The company’s failure to secure a computer system allowed unauthorised access to the personal data of 
over three million customers and 1,000 employees. 


What you've reported to us 


There were 957 reported data security incidents in Q4 


This was a 17% increase on Q3 (815 reports). 


We believe recent increases are possibly due to increased 
awareness of the GDPR and the launch of our new 
Personal Data Breach helpline. 


[Figure: Data security incidents by most common types. Axis: reported incidents. Series: data posted or faxed to incorrect recipient; loss or theft of paperwork; data sent by email to incorrect recipient; failure to redact data; failure to use bcc when sending email.] 


Reported cyber security incidents increased by 
31% in Q4 of 2017-18 


This was the first month-on-month increase since Q4 of 
2016-17. 


[Figure: Total cyber security incidents per quarter. Axis: reported incidents.] 


General business, education and local government were again the sectors with the 
most reported incidents 


This does not include health sector data. 


[Figure: Data security incidents by sector, Q4 2017-18. Panels: Justice; Education; Finance, insurance & credit; General business. Axis: reported incidents. Categories: cyber incidents; data left in insecure location; data posted or faxed to incorrect recipient; data sent by email to incorrect recipient; failure to redact data; failure to use bcc when sending email; other principle 7 failure; insecure disposal of paperwork; loss/theft of only copy of encrypted data; loss/theft of paperwork; loss/theft of unencrypted device; verbal disclosure.] 


Education 


Reported incidents in this sector rose by 32% from Q3, 
from 96 to 127. Incidents involving loss or theft of 
paperwork rose from 6 to 16. 


Charitable and giving 


Reported incidents in this sector rose by 69% from Q3, 
from 35 to 59. Incidents involving data sent to an 
incorrect email recipient rose from 4 to 20. 


Health sector in Q4 


There was a 21% increase in reported health incidents in Q4 


This follows a 22% rise from Q2 to Q3. 


Breach reporting is mandatory in the health sector. This contributes to the health sector having the highest 
number of reports. 


[Figure: Health sector incidents by type, Q4 2017-18] 


Various other principle 7 failures also accounted for a total of 121 further incidents. 


2017-18 financial year round-up 


[Figure: Data security reports by month, 2017-18 financial year] 


Health sector in 2017-18 


[Figure: Health sector incidents by type, 2017-18 financial year] 


Aside from health, general business was the 
sector with the most reports in the financial 
year 


There were 362 reports in this sector - incidents of 
emails being sent to the incorrect recipient (50) were 
most common. 


Full statistics on the financial year 


Click here to download the csv or see the link at the 
bottom of this page. 


Various other principle 7 failures also accounted for a total of 346 further incidents. 


What you can do to stay secure 


Before releasing a redacted document, always follow these three tips: 


1. Consider metadata when redacting information. 


2. Check all data has been redacted and is not reversible before releasing. 


3. Get someone to double check redactions. 
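
A pre-release check for tips 1 and 2, as an added example that is not ICO code: it inspects a Word .docx package for author metadata, a comments part, tracked deletions and black highlighting used in place of removal. The function names, the finding strings and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"

def audit_docx(data: bytes) -> list[str]:
    """Return reasons a .docx is not ready for release as a redacted copy."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # Tip 1: metadata travels with the file.
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag, label in ((DC + "creator", "author"), (CP + "lastModifiedBy", "last editor")):
                if (core.findtext(tag) or "").strip():
                    findings.append(f"metadata: {label} is set")
        if "word/comments.xml" in names:
            findings.append("comments part present")
        # Tip 2: text that looks removed but is still stored in the file.
        body = ET.fromstring(z.read("word/document.xml"))
        if any((t.text or "").strip() for t in body.iter(W + "delText")):
            findings.append("tracked deletion still holds text")
        for run in body.iter(W + "r"):
            hl = run.find(f"{W}rPr/{W}highlight")
            text = "".join(t.text or "" for t in run.iter(W + "t"))
            if hl is not None and hl.get(W + "val") == "black" and text.strip():
                findings.append("black highlight over live text")
                break
    return findings

def build_sample(cleaned: bool) -> bytes:
    """Constructed minimal package with only the parts audited above."""
    creator, para = "", "<w:r><w:t>Name: [REDACTED]</w:t></w:r>"
    if not cleaned:
        creator = "<dc:creator>J. Example</dc:creator>"
        para = ('<w:r><w:rPr><w:highlight w:val="black"/></w:rPr><w:t>Jane Example</w:t></w:r>'
                '<w:del><w:r><w:delText>Ref 000-EXAMPLE</w:delText></w:r></w:del>')
    core = f'<cp:coreProperties xmlns:cp="{CP[1:-1]}" xmlns:dc="{DC[1:-1]}">{creator}</cp:coreProperties>'
    doc = f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>{para}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample(cleaned=False)))
```

An empty result only means these specific checks passed; tip 3, a second person reviewing the redactions, still applies.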


We published the above information on 14 May 2018. We plan to update it each quarter. 